Mass Surveillance Is Being Undermined by the ‘Snowden Effect’


Alex Krasodomski is a researcher at the Centre for the Analysis of Social Media at Demos

We are in the middle of a Crypto war again. Perhaps we have always been in the middle of a Crypto war. Since the 70s, the right and ability to encrypt private communications has been fought over, time and again. Here in the UK, Cameron’s re-election has prompted reports of a ‘turbo-charged’ version of the so-called ‘Snoopers’ Charter’, extending further the powers of surveillance that the whistleblower Edward Snowden described as having ‘no limits’.

Two nights ago, the US Patriot Act expired. With it, at least officially, elements of the NSA’s bulk surveillance programme expired too. The law was passed in the wake of 9/11, in order to ‘strengthen domestic security’ and ‘broaden the powers of law-enforcement agencies with regards to identifying and stopping terrorists’. Section 215 of the Act had allowed the NSA to collect mobile phone data on millions of Americans. For the time being, that provision has gone. In the same week, the UN published a report saying encryption is ‘crucial for human rights’.

But the law is only half the story. Privacy advocates were, of course, cautious not to overstate the significance of the act’s suspension. But behind this caution, their successes are far more extensive than the symbolic demise of the Patriot Act. From the perspective of surveillance, the damage has already been done.

The ‘Snowden effect’, named after the whistleblower responsible for outing government surveillance in the US and UK, has brought more companies and technologists to the fight. Their purpose? To provide privacy tools that are powerful, open-source and accessible to the masses. And these groups are winning. As fears over our privacy continue to grow and the government talks about further extending surveillance capability, ordinary people are turning to these tools. What’s more, for the first time, they are beginning to be adopted on a massive scale.

Scale is a significant change, and a significant challenge to security services. Take Tor. Tor is a web browser-cum-network that scrambles your connections and makes your internet browsing more difficult to track. Both Tor and other publicly-available encryption tools always come with a caveat. Although frequently very powerful, especially in combination with one another, they are not perfect. With enough work and with the resources at the disposal of government organisations, a single user’s communications are at risk: the sheer firepower that the security services can use to break into secure channels means that a single suspect is up against it.

This is probably a good thing. If we believe our security services should have the resources to protect us from those who would plan acts of terrorism, for example, then they must be able to intercept the communications of suspects under investigation. Isis advises its supporters to use encryption in order to protect their identities and whereabouts. Anders Breivik wrote a blog on it. If a suspect was under investigation we would rightly expect MI5 to use wiretaps and human surveillance, after all. Digital communications should be no different.

But what the mass uptake of this kind of software threatens is mass surveillance. Cracking one encryption key is difficult but possible. Cracking millions is a different proposition. Mass uptake of encryption and of VPNs – virtual private networks designed to hide your identity – is anathema to dragnet collection of data.

Take instant messaging, for example. It is estimated that the 700m users of the app WhatsApp currently send thirty billion messages a day. This alone poses a real challenge to those calling for those messages to be somehow ‘read’ and analysed; how on earth do you read 350,000 messages a second? Over the past few years the Centre for the Analysis of Social Media at Demos has done a lot of work in partnership with the University of Sussex on ‘Natural Language Processing’, the science of teaching computers to find meaning in the words we use. Conclusion: it isn’t easy. Algorithms are never perfect, and they go out of date quickly as the way we speak changes.

But now, WhatsApp on Android is end-to-end encrypted, with the possibility of extending this to iOS. Thirty billion encrypted messages a day on one platform alone. True, the levels of encryption provided to a single user under investigation won’t stand up to security service surgery, but they will provide a strong barrier to understanding this data in bulk.

WhatsApp is owned by Facebook. Today, Facebook announced the site would allow its users to encrypt emails sent from the site to their personal accounts. It already provides a ‘dark web’ link which allows access through Tor. Whether its users will take advantage of this to increase their levels of security isn’t clear, but it is tacit approval of encryption from one of the biggest technology companies on the planet. And it isn’t just encrypted communications that are becoming more mainstream.

Hola is a peer-to-peer network. It claims to ‘provide everyone on the planet with freedom to access all of the Web’. Put simply, when you use it, your connection is routed through somebody else’s computer, and when you’re not using it, your computer is offered to others for the same purpose. It is wildly popular among those looking to dodge restrictions placed on, say, television shows. Recent estimates place its use at fifty million worldwide.

Hola has been the subject of some controversy of late: above all, they weren’t quite being straight up about the risks of letting somebody else use your internet connection. Nevertheless, it is the first example of a network that is both very difficult to monitor and censor that has really hit the mainstream by offering a slick and desirable service. The much more ethically-sound and established Tor browser has less than a tenth of its userbase, but is also growing. The Ethereum project is a similar attempt to decentralise the internet and take it out of the control of the government and big companies, making it more private and impossible to censor. It raised $12 million in crowd-funded support.

What this means for the security services, and our own security, is difficult to say. The UN has recognised the vital role these tools play in protecting those at risk of oppression. Human rights activists living under government oppression, for example, or citizens looking to bypass government censorship all rely on these tools daily to avoid persecution. In our recent Demos report with my colleague Jamie Bartlett we argue that there is a balance that must be struck in dealing with this kind of powerful technology.

But the lack of dialogue between governments and cryptographers, the no-man’s land between the two sides of this crypto war, is deafening. As long as the security services remain silent and Snowden keeps talking, encryption and moves to protect private communication on the internet will accelerate. It is time the government joined the debate, not as enemies of privacy, but as level-headed, publicly accountable figures whose job it is to protect us from those who would do us harm.

Spectator: http://ow.ly/NRX6b 

Alex Krasodomski is a researcher at the Centre for the Analysis of Social Media at Demos. He can be found tweeting @akrasodomski
